The key is to make sure the SQL is secure by itself. This is true regardless of what persistence technology you use. The most important rule is to make sure you always use bind variables (? in JDBC) for any data that could be supplied by the user.
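An added example, not code from the original answer, contrasting string concatenation with a JDBC bind variable. It assumes a `users` table with `id` and `username` columns and a `java.sql.Connection` obtained elsewhere (e.g. from a DataSource); the `ORDER BY` helper shows the one case a `?` cannot cover, where an allow-list does the job instead.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class BindVariableExample {

    // Unsafe: user-controlled text is spliced into the SQL string, so whatever
    // the user typed becomes part of the statement's structure, not just data.
    static boolean findUserUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = '" + username + "'";
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Safe: the SQL text is a constant containing only a '?' placeholder. The
    // driver transmits the username as a bound value, so no character in it can
    // change the statement's structure.
    static boolean findUserSafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Identifiers (column names, ORDER BY targets) cannot be bound with '?',
    // so user-chosen sort columns are checked against a fixed allow-list and
    // only the allow-listed literal is ever placed in the SQL text.
    private static final Set<String> SORTABLE = Set.of("id", "username");

    static PreparedStatement listUsersSorted(Connection conn, String sortColumn) throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        // sortColumn is now known to be one of our own constants.
        return conn.prepareStatement("SELECT id, username FROM users ORDER BY " + sortColumn);
    }
}
```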